Attackers Install Highly Persistent Malware Implants On Cisco Routers
itwbennett writes: Researchers from Mandiant have detected a real-world attack that has installed rogue firmware on Cisco business routers in four countries. The router implant, dubbed SYNful Knock, implements a backdoor password for privileged Telnet and console access and also listens for commands contained in specifically crafted TCP SYN packets — hence the name SYNful Knock. In the cases investigated by Mandiant the SYNful Knock implant was not deployed through a vulnerability, but most likely through default or stolen administrative credentials.
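The summary says the implant takes commands from "specifically crafted TCP SYN packets". The page does not describe the trigger format, and the block below does not try to reproduce it; it is an added example (not from the article or from Mandiant) of the cheap anomaly check a defender can run over captured traffic: a pure SYN (SYN set, ACK clear) almost never carries a payload, TCP Fast Open aside, so "SYN with data" is worth alerting on. The packet bytes are constructed for the example, checksums are left at zero and ignored by the parser.

```python
"""Added example: flag TCP SYN segments that carry a payload.

Constructed IPv4/TCP packets only; the real implant's trigger format is
not on the page and is not encoded here.
"""
import socket
import struct
from dataclasses import dataclass

TCP_FLAG_SYN, TCP_FLAG_ACK = 0x02, 0x10


@dataclass
class Finding:
    src: str
    dst: str
    sport: int
    dport: int
    payload_len: int


def parse_ipv4_tcp(frame: bytes):
    """Return (src, dst, sport, dport, flags, payload) for an IPv4/TCP packet, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6 or len(frame) < ihl + 20:      # protocol 6 == TCP
        return None
    src = socket.inet_ntoa(frame[12:16])
    dst = socket.inet_ntoa(frame[16:20])
    tcp = frame[ihl:min(total_len, len(frame))]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4                     # header length in bytes
    flags = tcp[13]
    return src, dst, sport, dport, flags, tcp[data_off:]


def find_syn_with_payload(packets) -> list:
    """Pure SYNs (SYN set, ACK clear) that carry application data are suspicious."""
    findings = []
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, flags, payload = parsed
        if flags & TCP_FLAG_SYN and not flags & TCP_FLAG_ACK and payload:
            findings.append(Finding(src, dst, sport, dport, len(payload)))
    return findings


# --- constructed sample traffic (no checksums; the parser ignores them) ---
def build_packet(src, dst, sport, dport, flags, payload=b"") -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


SAMPLE = [
    build_packet("192.0.2.10", "192.0.2.1", 40000, 23, TCP_FLAG_SYN),                 # normal SYN
    build_packet("192.0.2.10", "192.0.2.1", 40000, 23, TCP_FLAG_ACK, b"show ver"),    # data on an established flow
    build_packet("198.51.100.7", "192.0.2.1", 51234, 80, TCP_FLAG_SYN, b"\x00" * 16),  # SYN with payload: suspicious
]

if __name__ == "__main__":
    for f in find_syn_with_payload(SAMPLE):
        print(f"suspicious SYN with {f.payload_len}-byte payload: "
              f"{f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

Run against a real capture you would feed the IPv4 payload of each frame into `find_syn_with_payload`; expect a handful of Fast Open hits on client networks, which you can allow-list by destination.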
Re:'highly persistent' (Score:5, Funny)
Hyperbole much?
Yes, we ALWAYS do, EVERY time, without fail and without exception.
Re: (Score:3)
Difference between factory reset and completely replacing the NVRAM, perhaps?
Re: (Score:1)
They're the same command, moron. And this is done via a "BIOS" (ROMMON) hack. That is as undetectable as anything can get in a Cisco device. (since there's no way to read it back)
Re: (Score:2)
And when you issue that command, what interprets it? Has that code that interprets the command been compromised? Are you sure?
Re: (Score:2)
My theory is this is on the top of the box, in contrast to "lowly persistent", which would be on the bottom of the box. It is always good to know where in the vertical hierarchy everything is!
Re: (Score:2)
Ah, but this isn't a standard advanced persistent threat, this is a new leading progressive radical extreme foremost precedent-setting brilliant smart flexible wide-scope refined intense dazzling acute severe maximum ultimate persistent threat.
(That's a standard APT, but machined from aircraft-grade aluminium, and painted tactical black).
Possible? (Score:1)
One could consider that it was a NSA tool that was re-appropriated by criminals that discovered it.
Re: (Score:2)
Not really. It is not that hard to modify router firmware. Maybe on the level of hacking a C64 ROM. I did that back when I was a kid. Sure, it may take you a few weeks and you need a box to experiment on and a few common reverse-engineering tools, but that is basically it.
Where's the highly persistent part? (Score:1)
Does anybody know why this is HIGHLY PERSISTENT? Wouldn't a firmware update fix the issue?
Re: (Score:2)
reboot didn't fix it so highly persistent
Re: (Score:2)
Well, rommon is a debugger, so if you own that, you can inject yourself into IOS. It's not like IOS images are signed, or encrypted... Not that it matters I guess, everyone has to decrypt to RAM at some point.
When you can't trust your hardware, you are basically fucked, but yeah IOS should be signed at least.
Re: (Score:2)
That would be simple: Patch the firmware update to protect it. Not new, not special and not difficult to do for somebody competent.
Re: (Score:2)
I am not surprised. Businesses are never forward-thinking these days when it comes to technological advances that do not directly translate into more revenue.
Re: (Score:1)
Because it's done via an upgraded ROMMON, which has no verification method on a running system. Thus, persistent and undetectable. Once installed, it can prevent its removal.
Really? (Score:4, Funny)
ACK! That pun was SYNful too!
Re: (Score:2)
The only reason I come to /. anymore. This is where I grep all the puns.
Why do we still trust the manufacturer? (Score:1)
It's about time everyone had a long hard look at the software in their systems. Are they open enough for you to make the necessary fix should a problem arise?
I am by no means a tech geek, but I have DD-WRT on my routers because I can actually change the things I need the router to do. Disabling features in the interest of making more money in a higher end model is kinda dickish, but when you realize that the same dickishness (pardon the crude grammar) is likely responsible for hardcoded logins, it's a sad
Re:Why do we still trust the manufacturer? (Score:4, Insightful)
I am by no means a tech geek, but I have DD-WRT on my routers because ...
No offence, but the fact that you are comparing your DD-WRT home router with a Cisco infrastructure device and asking why we trust these vendors really highlights your comment.
Hardware wise there is no comparison between Cisco business & infrastructure devices and what people normally load a variant of Linux on. I'm not saying it couldn't be done, but the Cisco IOS (and Juniper's OS) is an extremely specialized OS designed along with the hardware to serve a specific function.
Now I will say that lately they are moving to more modular application-based products (layer 4+) which are far more software based on marked-up hardware, but for core routers and switches (layer 2/3 devices) there isn't really a quality substitute other than like-in-kind vendors' hardware. At this point you just can't really "build your own" hardware and OS combo which can truly compete and be open source at the same time.
Re: (Score:2)
Hardware wise there is no comparison between Cisco business & infrastructure devices and what people normally load a variant of Linux on.
That used to be true, but now we have multiple PCI-E buses in our PCs and they actually have a staggering amount of bandwidth. What's missing now isn't appropriate backplanes but appropriate expansion cards. Someone should cook up a standard for routers based on ATX PCs, but instead of the expansion coming off the side of the motherboard where the ports are located, it would be across the whole top side of the motherboard. Plan for, say, 8U. Then you could also build machines which used riser cards to get o
Re: (Score:2)
by the time you get all the pieces assembled and working together and certified as working, it will be obsolete and you can throw it away and start over again
Re: (Score:2)
There are some fundamental things about enterprise networking that you're simply not grasping. That, or you're a troll, which I'm starting to find much more likely.
Re: (Score:2)
And at that point the level of engineering you are doing for the parts brings you back to bespoke purpose-built hardware - now you need an OS and application which can manage it all, which doesn't yet exist for that hardware. All you would be doing is re-inventing the wheel to compete with the existing suppliers.
so again back in the same camp
Re: (Score:2)
And at that point the level of engineering you are doing for the parts brings you back to bespoke purpose-built hardware - now you need an OS and application which can manage it all, which doesn't yet exist for that hardware.
If only you knew what you were talking about. You'd add support for the I/O chips to Linux (or whatever) as well as for the expansion cards. They would need a driver no matter what OS you meant to use them with, even Cisco IOS. And using PCI-E and a basically stock PC (but again, with a new chipset if necessary) would explicitly avoid that problem!
Re: (Score:3)
I think you're on the right track. There's a methodology underway that has enough momentum that it's got its own buzzword: SDN -- Software Defined Networking [wikipedia.org]. It uses the very architecture you're suggesting: essentially a bunch of PCI cards working to form a network switching matrix. OpenFlow [wikipedia.org] is a standardized communications interface for controlling systems like SDN. Interesting reading.
Re: (Score:2)
Answer a question since everyone needs a million dollar router according to you http://tech.slashdot.org/comme [slashdot.org]...
That's not my comment. You missed, jackass.
Re: (Score:2)
Hardware wise there is no comparison between Cisco business & infrastructure devices and what people normally load a variant of Linux on. I'm not saying it couldn't be done, but the Cisco IOS (and Juniper's OS) is an extremely specialized OS designed along with the hardware to serve a specific function.
IOS is a monolithic disaster that runs completely in ring 0. Hardly something to be proud of. Juniper is BSD with a much more sane architecture.
Now I will say that lately they are moving to more modular application-based products (layer 4+) which are far more software based on marked-up hardware, but for core routers and switches (layer 2/3 devices) there isn't really a quality substitute other than like-in-kind vendors' hardware. At this point you just can't really "build your own" hardware and OS combo which can truly compete and be open source at the same time.
The only thing general purpose computers don't have are specialized ASICs to perform table lookups and forward at scale. The way things are going with SDN routers will be nothing more than GPU like express interface cards that connect to a chassis backplane before too long.
Re: (Score:2)
The amount of RAM's the biggest difference and software to address it. Nothing more.
So you say that cisco routers and home pcs have the same video cards, the same USB subsystems, the same power supplies? This is great, I'm looking forward to playing some high performance video games on a cisco router.
Re: (Score:2)
No, they are not. Routers do packet filtering in hardware.
Certainly you can route with a PC, but without hardware filtering, you're slowing down the traffic.
Re: (Score:2)
"routers do packet filtering in hardware"
Every 82599 network card in my PC does hardware-level packet filtering, try again.
Re: (Score:2)
http://www.ntop.org/products/p... [ntop.org]
Okay, there you go.
Re: (Score:2)
A very low-end Cisco router could be described as "dual NIC/dual homed PCs with RAM + an OS." Most Cisco routers can take modules and WAN cards to expand their functionality beyond the one or two built-in NICs. Some Cisco routers don't even have NICs, just module and/or WAN slots.
http://www.cablesandkits.com/cisco-modules-c-50_83.html [cablesandkits.com]
Re: (Score:2)
Can your old PC do what a $17,500 Cisco router can do?
The Cisco 4451-X offers a multicore CPU architecture running modular Cisco IOS XE software that dynamically adapts to the changing needs of your branch-office environment. The separation of the control and data planes provides the ability to deliver application-aware network services while maintaining a stable platform and a high level of performance during periods of heavy network load. With the ability to integrate application-aware services and the ability to scale performance without a complete equipment upgrade, the Cisco 4451-X offers exceptional total cost of ownership (TCO) savings and network agility through the intelligent integration of market-leading security, unified communications, and application services.
https://www.cdw.com/shop/products/Cisco-4451-X-Integrated-Services-Router-Application-Experience-with-Voice/3641687.aspx [cdw.com]
Re: (Score:2)
If you can deliver a product that is easier to maintain and cheaper than the largest network gear provider to have ever existed, why aren't you a billionaire via eating Cisco's lunch?
The $1M Cisco router doesn't take up two rows of equipment, but it does require very precise wiring between internal components and has a PITA reputation to maintain. Google's workaround to that is to implement the same router functionality with standard equipment. This is slightly more expensive than a single router, easier to maintain in the long run and allows the implementation of newer technologies to replace existing parts when they become available.
Re: (Score:2)
You are an intentional troll aren't you? You say one thing, then refute it with another, are called out on your inconsistency and the best you have is an unsolicited personal attack.
You're trolling me with your circular arguments, misrepresentations of what I wrote and personal attacks against me. You can't even reply to the correct comment! If you're complaining about being an AC on /., turn in your geek creds and don't let the door hit your ass on the way out.
Old news - even already reported by Cisco. (Score:4, Informative)
Cisco already published a security advisory on that a month ago:
http://tools.cisco.com/securit... [cisco.com]
Attackers required either valid admin credentials or physical access to the device to replace the firmware. Such attacks have been understood for a long time.
Nevertheless it's interesting to observe an increase in attacks against the infrastructure itself, rather than bandwidth.
Re: (Score:2)
Indeed. Patching firmware when you have control over the hardware (or admin privileges) is something every self-respecting firmware coder and hacker can do. Not special. At all.
Re: (Score:2)
They are riding what is probably already there, in the target network.
Re: (Score:2)
The thing is, a telnet server can be done in very little code. An SSH server is a whole different sort of beast. And in fact, telnet is adequate here, just use a good password. If somebody is snooping on the connection, chances are they already know of the compromise and you are not telnetting into the box you think you are.
Re: (Score:2)
True.
However, these devices are typically on their own private networks that only have traffic on them from 'authenticated users' to start with. So the idea is that you don't run SSH on this device, which has so little GP computing power that you'd watch and wait for your characters to echo back at you while they are encrypted/decrypted, and instead just use a less secure layer 3 protocol because you already trust layer 2 implicitly.
Most routers/switches have only the most rudimentary process for general purpose
THIS... (Score:1)
... is why all* devices where the end user reasonably expects that he "owns/controls" the device need to have a way for end users to do a "real" factory-reset.
*Super-cheap devices which are literally cheaper to replace than manage may be exceptions. With the "Internet of things" you may see future "smart" devices that cost less than $1 to replace.
Re: (Score:2)
The price argument is a bad one; it turns into just the excuse they use for not making a proper product.
all this is useless without images (Score:2)
Show us the infection! I suspect it's in the bootroms (rommon), and it can insert into any IOS during the unzipping of IOS into RAM (#######) ..
So Protect your Admin passwords.... (Score:3)
Problem solved... Just be careful about administrative access controls...
Now I know a bunch of folks who don't lock down their Cisco gear before they put it into production and they get what they deserve. But for Pete's sake, you simply MUST protect your equipment and that means keeping control of administrative credentials on these systems. Personally, I'd have all primary network equipment on a totally separate network infrastructure in the first place so the general population at a site didn't have direct access to the network equipment administrative interfaces, PLUS I would be very careful about who had access to both the network and credentials necessary to access the equipment. Not to mention I'd pretty much lock down the TFTP resources on that network so only approved and fully vetted firmware ever got where it could be flashed.
I worked for a company that didn't password protect their Cisco VTP domain on their switches or change the default admin passwords, and used telnet consoles. Yea, it was easy to add a switch: just wire the thing up and voilà, you got the VTP domain configuration pushed. It worked great until an employee plugged in a factory fresh switch and deleted all the VLANs he saw on it. He unknowingly wiped the whole company's switching fabric clean (without backups, even in hard copy). It took 3 days to recover, during which time little business got done. They were extremely stupid.
So, if you don't at least override the administrative defaults or don't manage your administrative credentials carefully, you are stupid and you get what you deserve in my book.
Re: (Score:2)
Indeed. "Problem located between keyboard and chair". The usual reason for such extreme security problems.
Re: (Score:3)
I am waiting for this to happen. Remote admin is only available on this port. That way you can have a secondary secure network for upgrading. Even if that is then connected to the net via a secondary router it would be easier to secure. When designing my home network I plan on running three networks.
One: an open wireless AP for guests.
Two: a wired/wireless network for my use. Netflix, smart TV etc, etc.
Third: a secure network accessible to the outside only through secure VPN etc. for IoT devices, cameras, smart h
Re: (Score:2)
I already do this at home, only I'll warn you it's expensive to buy the managed switches you will need.
I've been using the old Linksys small business switches which are way out of support, have a quirky web interface that requires a very old version of IE to actually use and are generally limited to 100BaseT speeds. However, it allows me to have a switch fabric that is both redundant and available at all the points I need in my home. I have two active routers, both are OpenWRT based, one that faces my ISP
Re: (Score:2)
...Personally, I'd have all primary network equipment on a totally separate network infrastructure in the first place...
I wonder: What sort of equipment would you use for connecting the "primary network equipment" to the rest of the infrastructure?
Re: (Score:2)
Separate Infrastructure != separate equipment. Logical separation != Physical separation.
I'd keep ALL administrative interfaces on a separate VLAN which does not logically connect to the network used by the rest of the world except at known points which are firewalled, controlled and monitored. Access to this VLAN would be limited to network admins who presented valid up to date credentials.
Re: (Score:2)
Separate Infrastructure != separate equipment. Logical separation != Physical separation.
I'd keep ALL administrative interfaces on a separate VLAN which does not logically connect to the network used by the rest of the world except at known points which are firewalled, controlled and monitored. Access to this VLAN would be limited to network admins who presented valid up to date credentials.
If you consider firmware compromise, you have to forget about the isolation given to you by firewalls and VLANs. VLANs are only a logical separation; a VLAN is just a couple of extra bytes added to each network packet that you hope whatever is on the wire will honor. If the firmware of your network equipment is compromised, you can't depend on VLAN isolation being honored.
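To make the parent's "couple of extra bytes" concrete, here is an added example (not from the thread) of what an 802.1Q tag is on the wire. A tagged Ethernet frame differs from an untagged one by exactly four bytes inserted after the source MAC: a 0x8100 TPID followed by a 16-bit TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID). Nothing binds the tag to the frame cryptographically, so "isolation" at a trunk port is a lookup on that 12-bit field, and it holds only as long as every device in the path honours it. The MAC addresses and frames below are constructed.

```python
"""Added example: build and parse 802.1Q-tagged Ethernet frames, and
show that VLAN admission at a trunk port is a 12-bit field lookup.
All frames here are constructed; no real capture is used.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid=None, pcp=0) -> bytes:
    """Ethernet header, optionally with a 4-byte 802.1Q tag after the source MAC."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)           # PCP:3 | DEI:1 (0 here) | VID:12
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into header fields; 'vlan' and 'pcp' are None when untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vlan_id = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]   # the "real" EtherType follows the tag
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan_id,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


def admitted_on_trunk(frame: bytes, allowed_vids: set) -> bool:
    """Everything 'VLAN isolation' means at a trunk port. Untagged frames are
    rejected here (no native VLAN is assumed in this example)."""
    vid = parse_frame(frame)["vlan"]
    return vid is not None and vid in allowed_vids


# constructed sample frames (locally administered MACs, dummy IPv4 payload)
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")
DUMMY_IPV4 = b"\x45" + b"\x00" * 19
UNTAGGED = build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, DUMMY_IPV4)
MGMT_VLAN = build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, DUMMY_IPV4, vid=100, pcp=5)
USER_VLAN = build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, DUMMY_IPV4, vid=200)

if __name__ == "__main__":
    for name, f in [("untagged", UNTAGGED), ("vlan100", MGMT_VLAN), ("vlan200", USER_VLAN)]:
        p = parse_frame(f)
        print(f"{name}: len={len(f)} vlan={p['vlan']} pcp={p['pcp']} "
              f"ethertype=0x{p['ethertype']:04x}")
```

The design point is in `admitted_on_trunk`: the policy is correct, but its input is a field the sender (or any relay) wrote, which is exactly why a compromised switch or router firmware voids the separation.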
Re: (Score:2)
For Pete's sake... I'm pretty sure that nobody is going to sneak in and compromise my firmware, unless of course they are a duly authorized administrative type, and in that case the jig is up anyway; they can do *anything* they want on my network equipment if they can load firmware. The idea in that case is to MONITOR and catch the fact that unauthorized firmware has been loaded.
Look there is NOTHING you can do to be 100% secure. One thing you simply cannot do anything about is your approved administrators.
Re: (Score:2)
Problem solved... Just be careful about administrative access controls...
Wouldn't help you at all if the malware was installed in transit, before it arrived at your premises.
That's why I specify MONITORING my network, to catch such stuff happening should it slip in.... But if you are not managing the configuration of your firmware images (i.e. re-flashing them before you put them into production) you have a serious issue with configuration management...
I want the persistent memory to be removable (Score:2)
If I'm paying 500~thousands of dollars for a big Cisco router then is it so much to ask for the persistent memory to be a removable SD card? The only writable memory that persists on a reboot should be removable and scannable in a third party system. Pull the card, check it out... maybe flash replacement firmware to the card separately, then plug it back into the router.
I generally have this attitude with any firmware in any computer. Viruses are getting uploaded to them and how is the antiviral supposed to
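The "pull the card, check it out" workflow above, and the "signed image ... trivial to validate" remark elsewhere in the thread, both come down to comparing what is on the media against a known-good reference on a machine you trust. Below is an added example (not from the thread or from Cisco) of that check: a manifest of SHA-256 digests built from a vendor-verified golden copy, then compared against the files read off the card. File names are placeholders, the contents are constructed, and, as the thread notes, this only covers what can be read back as files; boot ROM contents are out of its reach.

```python
"""Added example: verify removable boot media against a pinned manifest
on a separate trusted host. Everything below is constructed in a temp
directory; the image name is a placeholder, not a real Cisco image.
"""
import hashlib
import hmac
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """relative path -> sha256 for every file under root (run this on the golden tree)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_media(root: str, manifest: dict) -> dict:
    """Compare the tree under root (the card) with the manifest.
    Returns {'ok': [...], 'modified': [...], 'missing': [...], 'unexpected': [...]}."""
    found = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in found:
            result["missing"].append(rel)
        elif hmac.compare_digest(found[rel], digest):   # constant-time string compare
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["unexpected"] = sorted(set(found) - set(manifest))   # files nobody pinned
    return result


def demo() -> dict:
    """Constructed scenario: golden media, a copy on the 'card', then an
    appended byte on the image and a stray file the manifest never listed."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = os.path.join(tmp, "golden")
        os.makedirs(golden)
        with open(os.path.join(golden, "example-ios-image.bin"), "wb") as f:   # placeholder name
            f.write(b"placeholder image bytes\n" * 100)
        with open(os.path.join(golden, "startup-config"), "wb") as f:
            f.write(b"hostname branch-rtr-1\n")
        manifest = build_manifest(golden)

        card = os.path.join(tmp, "card")
        shutil.copytree(golden, card)
        with open(os.path.join(card, "example-ios-image.bin"), "ab") as f:
            f.write(b"\x90")                                       # simulated tampering
        with open(os.path.join(card, "extra.bin"), "wb") as f:
            f.write(b"not in manifest")
        return verify_media(card, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:10s} {names}")
```

In practice the manifest is produced once from the vendor image (checked against the vendor-published digest) and the approved config, stored off the device, and `verify_media` is run on the card before it goes back in the router.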
Re: (Score:2)
I think it's more a question of people not talking about it more than anything. The technology and cost structure is not a problem.
I've never heard any device manufacturer talk about it.
And really this IS the solution to the firmware virus issue. I mean... I could even go a step farther and use those SD cards with the write lock switch. I'm not sure how those switches work... whether they literally hardware lock the card or simply tell the machine not to write to the card. If the former then that is a dandy way
Re: (Score:1)
Only an idiot exposes a Linux box directly to the Internet. [openbsd.org]
Re: (Score:2)
From TFA: "Routers don't typically get the same level of security attention as employee workstations or application servers that companies actually expect to be attacked. They're not protected by firewalls and don't have antimalware products running on them."
Huh?
Last time I checked the whole point of the router was that it's a limited-purpose device and its management access was highly restricted, both in terms of credentials to access the management interface and of the networks that the management interface will communicate with.
Re: (Score:2)
Well, that is the way people with an actual clue set it up. They may only ssh to the box with everything else off and a limited IP-range allowed for the source, or may use the serial port, via direct connection ("go there") or a hardened terminal server.
Unfortunately, many networking people are cheap and clueless and do what is most convenient. This is really the fault of management that hired cheaper than possible personnel, as has gotten so common in IT these days.
Re: (Score:2)
That's what they teach in Cisco school, that you should be able to manage your entire enterprise from your desk. An instructor told us that you should use the same logon credentials throughout your enterprise because maintaining a full list was "impossible". Even on Cisco's enterprise management software there was no provision for expiring or rotating admin credentials, and the CCNIdiots gave me a puzzled look when I asked about it because they "couldn't imagine why anyone would ever want to do that."
Re: (Score:2)
Fascinating. What an epic fail. I guess Cisco really does not understand security at all. Or they have some collaboration with the NSA to make sure that compromising one system (the network admin's) is enough to get into everything.
Re: (Score:2)
Last time I checked the whole point of the router was that it's a limited-purpose device and its management access was highly restricted, both in terms of credentials to access the management interface and of the networks that the management interface will communicate with.
Yes, and they typically don't have anti-virus or get as much scrutiny as a workstation. What's your point?
Re: (Score:1)
So your fix is to replace Cisco appliances entirely with PCs. Could you point me towards a PC offering 60 Tbit/s of switching capacity? Heck, can you point me towards a standard PC that can push 60 Tbit/s through the processor?
http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/datasheet-c78-729404.html
Re: (Score:1)
That's a SWITCH, not a ROUTER. There are Tbit routers on the market, but they are not moving packets with a general purpose CPU.
Re: (Score:2)
No, how about we just replace IOS? The hardware's perfectly fine, it's just Cisco's OS that is an unmitigated piece of rotting carp.
Re:Router Security (Score:5, Insightful)
Routers don't typically get the same level of security attention as employee workstations or application servers that companies actually expect to be attacked.
Well no, because you have them racked in a locked cage in a locked room in a restricted access Datacenter. You have network access restricted and strong authentication and logging/audit systems in place. It doesn't need much "security attention" because it's a hell of a lot easier to harden than a user workstation and has far fewer "attack surfaces" compared to an application server.
They're not protected by firewalls
Show me an Enterprise or Carrier grade router which doesn't have a firewall. They all have them, whether or not they're enabled along with other security policies, access lists, etc. is a matter of who is in charge of them.
and don't have antimalware products
Of course they don't. Why the fuck would they? They ought to be running a signed image file from the manufacturer, which is trivial to validate if you're THAT concerned about it.
Re: (Score:1)
Re: (Score:1)
I'll show you 50% of the Fortune 100 where I can SSH directly to a switch or router with no jump server in the data path.
Sounds interesting. Please proceed!
Re: (Score:1)
The point is that routers are far more secure and more easily secured than workstations. How does your breaking the law 75,000 times via a secure mechanism that you somehow managed to acquire or illegally retain authenticated access to refute the point?
Re: (Score:1)
And then for "remote management" they put a dialup modem on the console (or aux) port with a stupid simple password that isn't dependent on TACACS, etc. (because they need to be able to login when the network is fubar and cannot talk to those systems)
Re: (Score:2)
Cisco IOS routers themselves have an "autosecure" command that is essentially a wizard-style checklist that does indeed lock everything down pretty well by turning off everything that you don't think you need.
NXOS takes this a step further by having all features off by default, and you enable them as you need them.
Although IOS has a ton of services on by default (for example, eigrp, cdp) not all of them are actively listening unless you explicitly configure them, but still, turning them off is a good idea. IO
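Several posts in this thread converge on the same hygiene list: keep telnet off the vty lines, restrict management access to an admin source range, don't rely on reversible passwords, put a password on VTP, and turn off defaults such as CDP and the HTTP server. The block below is an added example (not from the thread, not an IOS feature, and not a substitute for "auto secure") of auditing a saved IOS-style running-config off-box for those points. Both config texts are constructed, the enable secret is a placeholder, and the audit is a plain-text heuristic over the config syntax shown, so it assumes the usual `line vty` / indented sub-command layout.

```python
"""Added example: off-box audit of an IOS-style running-config text for
the hygiene points raised in the thread. Constructed configs only.
"""
import re

WEAK_CONFIG = """\
hostname branch-rtr-1
enable password cisco
vtp domain CORP
vtp mode server
ip http server
snmp-server community public RO
snmp-server community private RW
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 login local
 access-class 10 in
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname branch-rtr-1
service password-encryption
enable secret 9 $9$PLACEHOLDER
no cdp run
no ip http server
no ip http secure-server
vtp domain CORP
vtp mode transparent
snmp-server community S3cure-r0-only RO
line vty 0 15
 login local
 access-class 10 in
 transport input ssh
"""


def vty_blocks(config: str) -> list:
    """Collect 'line vty ...' sections with their indented sub-commands."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = {"name": raw[5:].strip(), "body": []}
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current["body"].append(raw.strip())
        else:
            current = None
    return [b for b in blocks if b["name"].startswith("vty")]


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no 'enable secret' configured (enable password is reversible)")
    if "no cdp run" not in lines:
        findings.append("CDP enabled globally (IOS default); add 'no cdp run' unless needed")
    if "ip http server" in lines:
        findings.append("plaintext HTTP management enabled ('ip http server')")
    if any(l.startswith("vtp mode server") for l in lines) and \
            not any(l.startswith("vtp password") for l in lines):
        findings.append("VTP server mode without a VTP password")
    for l in lines:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", l)
        if m:
            comm, mode = m.group(1), m.group(2) or "RO"
            if comm.lower() in ("public", "private") or mode == "RW":
                findings.append(f"weak SNMP community '{comm}' ({mode})")
    for b in vty_blocks(config):
        body, rng = b["body"], b["name"][4:]
        transport = next((l for l in body if l.startswith("transport input")), None)
        if transport is None or "telnet" in transport or transport.endswith(" all"):
            findings.append(f"line vty {rng}: telnet permitted (transport input: {transport or 'default'})")
        if not any(l.startswith("access-class") for l in body):
            findings.append(f"line vty {rng}: no access-class restricting source addresses")
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(f"--- {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  " + f)
```

Note that vty 5 15 in the weak config already passes both line checks; the findings come from vty 0 4 and the global settings, which is the common real-world shape: one hardened range, one forgotten one.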